Mail.app - secure IMAP - Home Brewed Certificate
khemani
Fresh-Faced Recruit
Join Date: Oct 2003
Location: Washington, DC
Status: Offline
Oct 25, 2003, 09:38 AM
 
Hello,

This isn't a bug, but a new feature that needs to be addressed for those connecting via an SSL-encrypted connection to an IMAP server that uses a home brewed certificate using Mail.app.

Mail.app in previous releases did not complain about mail servers with SSL certificates from unknown CAs, but does in Panther.

I have tried adding the certificate for the CA into the X509Anchors keychains -- this process works for allowing Safari to trust SSL certificates issued by that CA. However, Mail.app does not seem to use the same keychain.

I noticed that in Panther there is another keychain in /System/Library/Keychains: X509Certificates, and I tried adding the CA's certificate to that keychain also, but Mail.app still complained.

I also tried specifying for this CA cert that it should always be trusted (as opposed to using the system defaults), and Mail.app still complained.

By the way, when Mail.app complains, it asks you whether you want to cancel or continue. Continuing apparently does not have it connect and pick up messages.

Any direction anyone can provide would be most appreciated.

Thanks!!
     
queritor
Fresh-Faced Recruit
Join Date: Jul 2003
Location: NC, USA
Status: Offline
Oct 25, 2003, 04:44 PM
 
I came across the same problem with self-signed certificates. There's a workaround here: http://docs.info.apple.com/article.html?artnum=25593
     
geekwagon
Senior User
Join Date: Dec 2002
Location: Portland, OR
Status: Offline
Oct 25, 2003, 04:45 PM
 
I would also like to know if there is some way to make this work. In the earlier dev builds the dialog box that asks you to continue had a tick box for "don't ask anymore" but it didn't work (it would still ask every time.) In the last couple of builds the tick-box disappeared.

I get the feeling this is one of many features that Apple left out in order to get Panther released in October. Hopefully it will return in a later point release as I don't want to have to start spending $150/year for an SSL cert for my private email server (that's assuming that Equifax is on their trusted CA list..)

Edit: ha, typed too slow. This post was on page 2 so I didn't expect someone else to be in the middle of replying.

Edit again: ahah, that's why the tickbox disappeared, my cert was expired. So I guess that's a feature, not a bug.
     
MickS
Senior User
Join Date: Sep 2000
Location: In a maze of twisty tunnels all alike
Status: Offline
Nov 1, 2003, 03:00 AM
 
Originally posted by queritor:
I came across the same problem with self-signed certificates. There's a workaround here: http://docs.info.apple.com/article.html?artnum=25593
Has anyone been able to make this work? As soon as I click on the certificate icon in the window I get a weird floating icon that I can't do anything with. Worse, it stops Mail from doing anything.

I am stuck with having to click continue every time I log in.
     
geekwagon
Senior User
Join Date: Dec 2002
Location: Portland, OR
Status: Offline
Nov 1, 2003, 04:19 AM
 
Originally posted by MickS:
Has anyone been able to make this work? As soon as I click on the certificate icon in the window I get a weird floating icon that I can't do anything with. Worse, it stops Mail from doing anything.

I am stuck with having to click continue every time I log in.
Try the workaround mentioned in this thread on Slashdot:



I haven't tried it because I haven't felt like creating a new cert that isn't expired, yet.
     
MickS
Senior User
Join Date: Sep 2000
Location: In a maze of twisty tunnels all alike
Status: Offline
Nov 1, 2003, 04:29 AM
 
I managed to get the cert in, then found out that I was using an old cert that didn't match the hostname I was connecting to.

I've now generated a new certificate and everything works.
     
qvr
Fresh-Faced Recruit
Join Date: Sep 2003
Location: Helsinki, Finland
Status: Offline
Nov 1, 2003, 08:18 AM
 
Originally posted by MickS:
I managed to get the cert in, then found out that I was using an old cert that didn't match the hostname I was connecting to.
How did you get the cert in? My Mail gets stuck every time I try to move the icon.
     
MickS
Senior User
Join Date: Sep 2000
Location: In a maze of twisty tunnels all alike
Status: Offline
Nov 1, 2003, 08:35 AM
 
Originally posted by qvr:
How did you get the cert in? My Mail gets stuck every time I try to move the icon.
Perseverance. I kept force quitting Mail and retrying until I got it onto the desktop (Option-click).
     
khemani  (op)
Fresh-Faced Recruit
Join Date: Oct 2003
Location: Washington, DC
Status: Offline
Nov 6, 2003, 05:04 PM
 
Originally posted by khemani:

Mail.app in previous releases did not complain about mail servers with SSL certificates from unknown CAs, but does in Panther.

I have tried adding the certificate for the CA into the X509Anchors keychains -- this process works for allowing Safari to trust SSL certificates issued by that CA. However, Mail.app does not seem to use the same keychain.

(snipped)
Actually, this solution does work. Just a brain fart on my part -- I was adding the wrong certificate. Sorry for the confusion.

Thanks,
Yash
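
The three causes that turned up in this thread (an expired certificate, a certificate that did not match the hostname, and the wrong CA certificate added to the keychain) can each be checked with `openssl` before touching Mail.app. This is an added example, not from any poster in the thread; the host names, file names and the `make_demo_pki` and `check_cert` helpers are constructed for illustration, and it assumes an `openssl` command-line tool that supports `-checkhost`.

```shell
#!/bin/sh
# Added example. All names, hosts and files below are constructed for the demo.

# make_demo_pki DIR: two throwaway CAs plus a one-day server certificate
# for mail.example.test signed by the first CA ("ca").
make_demo_pki() {
    d=$1
    for name in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}

# check_cert CA_FILE CERT_FILE HOSTNAME [MARGIN_SECONDS]
# Prints one line per check; returns 0 only if all three pass.
check_cert() {
    ca=$1; cert=$2; host=$3; margin=${4:-0}; rc=0
    # Wrong CA imported: the chain does not verify against this CA file.
    # (openssl verify also fails here if the certificate has already expired.)
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "issuer: OK"
    else
        echo "issuer: FAIL"; rc=1
    fi
    # Expired, or expiring within MARGIN_SECONDS.
    if openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null; then
        echo "expiry: OK"
    else
        echo "expiry: FAIL"; rc=1
    fi
    # Name in the certificate must match the host the client connects to.
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
        echo "hostname: OK"
    else
        echo "hostname: FAIL"; rc=1
    fi
    return $rc
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_cert "$demo_dir/ca.pem" "$demo_dir/server.pem" mail.example.test
check_cert "$demo_dir/other-ca.pem" "$demo_dir/server.pem" imap.example.test 172800 \
    || echo "second run fails all three checks, as constructed"
```

For a real server, replace the demo files with the CA certificate you intend to trust and the certificate the IMAP server actually presents, and pass the exact hostname configured in the mail client.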
     
   
 